libvir-list-bounces@redhat.com wrote on 10/22/2008 05:51:46 AM:

> "Daniel P. Berrange" <berrange@redhat.com>

> Sent by: libvir-list-bounces@redhat.com
>

[...]
> >
> > Again, I could have a three host machines each one with a different
> > policy package say targeted, mls and overt policy package.  If all three
> > understand what a system_u:system_r:virtd_t:s0 type is, then all three
> > could run the image.
>
> I guess my point was that we need a way to determine whether the policy
> on any machine is suitable for running a VM, before placing the VM on
> that host. In the context of a data center mgmt app we can have 100's or
> 1000's of possible virtualization enabled hosts. Not all of these
> hosts will be providing the same level of functionality / same versions
> of software, including selinux policy.


This sounds like there would need to be an API for the retrieval of the current policy module that applies to the labeling of for example the qemu process. A management application would then certainly need to interpret this policy module to understand what labels are possible. How about enabling the update of this policy module by exposing an API that lets one set a new policy so that virtual machines with new labels can be placed? Would this be within scope of the security extensions? The actual labeling of the virtual machine image files could probably have to be left up to other management APIs that may deal with making those virtual machine images available, but nevertheless an API for labeling of VM images may be useful as well.

   Stefan